crypto/tls: add OCSP response to ConnectionState

The OCSP response is currently only exposed via a method on Conn,
which makes it inaccessible when using wrappers like net/http. The
ConnectionState structure is typically available even when using
wrappers and contains many of the other handshake details, so this
change exposes the stapled OCSP response in that structure.

Change-Id: If8dab49292566912c615d816321b4353e711f71f
Reviewed-on: https://go-review.googlesource.com/9361
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>

diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go
index 4cce5085f49b84acbf824628b34b651948d273e6..929c8ef4da5eef356e9e3a0a9a09627c14baccc4 100644 (file)
--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@@ -169,6 +169,7 @@ type ConnectionState struct {
        PeerCertificates            []*x509.Certificate   // certificate chain presented by remote peer
        VerifiedChains              [][]*x509.Certificate // verified chains built from PeerCertificates
        SignedCertificateTimestamps [][]byte              // SCTs from the server, if any
+       OCSPResponse                []byte                // stapled OCSP response from server, if any
 
        // TLSUnique contains the "tls-unique" channel binding value (see RFC
        // 5929, section 3). For resumed sessions this value will be nil

diff --git a/src/crypto/tls/conn.go b/src/crypto/tls/conn.go
index c7b30a5d7238bcde16eccdbcbeb874ba5953add2..cad471859f5872a8437b1cc0d84e38ac30755a06 100644 (file)
--- a/src/crypto/tls/conn.go
+++ b/src/crypto/tls/conn.go
@@ -995,6 +995,7 @@ func (c *Conn) ConnectionState() ConnectionState {
                state.VerifiedChains = c.verifiedChains
                state.ServerName = c.serverName
                state.SignedCertificateTimestamps = c.scts
+               state.OCSPResponse = c.ocspResponse
                if !c.didResume {
                        state.TLSUnique = c.firstFinished[:]
                }